Date:      Wed, 27 Oct 2004 21:13:45 -0700
From:      Bruce M Simpson <bms@spc.org>
To:        David Gilbert <dgilbert@dclg.ca>
Cc:        Mike Tancsa <mike@sentex.net>
Subject:   Re: IPSec on current.
Message-ID:  <20041028041345.GC772@empiric.icir.org>
In-Reply-To: <16768.22876.926445.412412@canoe.dclg.ca>
References:  <16767.52282.937187.190919@canoe.dclg.ca> <6.1.2.0.0.20041027124606.09c40768@64.7.153.2> <16767.53956.366966.737912@canoe.dclg.ca> <6.1.2.0.0.20041027131824.10140c90@64.7.153.2> <m2fz3ztwct.wl@minion.local.neville-neil.com> <16768.22876.926445.412412@canoe.dclg.ca>

On Wed, Oct 27, 2004 at 10:28:44PM -0400, David Gilbert wrote:
> George> Just for the record, yes, FAST_IPSEC does not support INET6.
> 
> Not supporting IPv6 is less of a showstopper than not supporting
> FAST_IPSEC as the latter is required (for instance) BGP.

I have a whole load of changes to bring in itojun's stuff from NetBSD
which makes TCP_SIGNATURE work with KAME IPSEC, and also performs input
verification. Unfortunately, due to the way this works, this is all or
nothing and needs some rethinking to have the correct granularity. But
it's definitely a step in the right direction. In future it'll probably
require that applications using TCP_SIGNATURE be able to speak PF_KEY.

This stuff is still quite a bit far off from being committed to -CURRENT,
though, and I probably won't have a chance to finish it for some time.

FAST_IPSEC not jibing with INET6 is a separate issue, but from what I
understand, it's quite possible, again, lack of committer time/resource.

Regards,
BMS


